
Friday, June 24, 2011

Cracking WEP/WPA/2 networks with Aircrack-ng [Linux]

Now that you have (hopefully) installed the Aircrack-ng suite and familiarized yourself with some basic Linux commands, we can start cracking WEP and WPA/WPA2 networks to see the difference in the security that Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA) provide.

Notice: This is purely for educational value, do not attempt this on a network you do not PERSONALLY own. If you do this on a public or private network that you do not have authorization to do so on, it is illegal and you will probably get caught.

Now, let's start. Open up a new terminal and let's begin (each command to type is shown on its own line; read the notes for optional flags):

Make sure you have a "monitoring" interface. This means that your network interface (the hardware that talks to networks) can scan for open and encrypted networks.
To check what interfaces you have, type "iwconfig" into your terminal; it lists which interfaces are currently up and which mode each one is in (look for "mode: managed" or "mode: monitor").
Check out my blog post about networking in Linux for more on "iwconfig" and the different modes available.

Type:

airmon-ng start [interface]

If your interface is in "managed" or any other mode (ad-hoc, etc.), it needs to be switched into monitor mode. Sometimes airmon-ng creates a new interface for monitoring; for example, my wireless interface is "wlan0" and it creates "wlan0mon" or "mon0" for monitoring.
Once it is in "monitor" mode, you can begin.

Make sure you can inject packets into the chosen network. Find a network with Kismet (I'll review Kismet later), with your network manager (either Wicd or network-manager), or with the "airodump-ng [interface]" command in a new terminal (note that this creates a new .cap file).
Type:

aireplay-ng -9 -e [network name] -a [target access point MAC (BSSID)] [interface]

This makes sure that you can use your network card to inject packets (data) into the targeted network. Your NIC (network interface card) must support injection.

If you can inject, start dumping captured IVs (Initialization Vectors) into a .cap (capture) file with airodump-ng:

Note: -c x selects channel x, where x is 1-11. It is optional, but if you know the channel, I suggest specifying the correct one.
This brings up a nice interface showing your targeted network with these columns: the BSSID (the MAC that you entered); "PWR", or how close you are (lower is better!); "Beacons", which networks send automatically; "#Data", the data packets that have been sent over the network (which you have just started capturing!); "#/s", data packets per second (higher is better for capturing faster!); "CH", the channel (I'll go over this later); "MB"; "ENC", the encryption (WEP/WPA/OPEN); "CIPHER" (related to the ENC); "AUTH" (pass-key or other); and finally the ESSID, the English or ASCII network name that humans understand more easily than a hex BSSID.

Now we have to do a "fake authentication" on the network. This is pretty self-explanatory: it authenticates you with the access point. If you didn't run this, the access point would return "deauthenticated" packets and would not let you inject packets into the network.

It should respond "Association successful :-)"; if not, try again until it works.
This may take a while, so don't fret if it doesn't work right away. I've had to do this three or four times or more, with new terminals and locations, until I finally got it; it's just luck sometimes.

Re-inject ARP (Address Resolution Protocol) packets into the network to create network activity. To review ARP, check out my ARP information post and read it thoroughly; it isn't long and gives a good explanation of what ARP is all about. What we're basically doing is sending fake messages to create data packets on the network so we can record them and crack the password!

Note: you can enter the ACTUAL file name instead of "*.cap" if you know it, or whatever "output prefix" you entered followed by *.cap (all on one line, since airodump-ng concatenates -xxxxx_xxxx after the prefix and before .cap).

Crack the WPA/WPA2 key (if you're not cracking WEP)! Type:

aircrack-ng -w [password list] -b [target network MAC] *.cap

Note: You must have captured the WPA handshake; again, substitute your capture file accordingly.

For WEP cracking, this runs in a terminal showing "Tested xxxx keys (got xxxx IVs)" and a bunch of hex gibberish underneath. You can run this while you inject packets. It should find the key eventually, unless the network admin or owner disconnects the network or you go out of range of it. Sometimes it takes as little as 5,000 keys, and other times 250,000 keys.
My record is about 2-3 minutes while sitting on a toilet in a flea market; it's fun to see how quickly WEP is broken, so remember: ALWAYS use WPA2 with a non-dictionary passkey. You can find more tips about securing your home network in my post here.
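As an added illustration of why the IV count is what matters here (this is not code from the post or from aircrack-ng): WEP's 24-bit IV repeats after only a few thousand frames, and two frames sent under the same IV share one RC4 keystream, so XORing their ciphertexts cancels the key entirely. The 40-bit key and the two ARP-like frames are constructed values.

```python
"""Why WEP falls so fast: a 24-bit IV plus RC4 keystream reuse.
Added illustration, not code from the original post or aircrack-ng;
the 40-bit key and the two ARP-like frames are constructed values."""
import math


def rc4(key: bytes, length: int) -> bytes:
    """Plain RC4 keystream generator (KSA + PRGA), the cipher WEP uses."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(iv: bytes, key: bytes, plaintext: bytes) -> bytes:
    """WEP's per-frame RC4 key is IV || root key; the IV travels in the clear."""
    keystream = rc4(iv + key, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, keystream))


def xor_of_ciphertexts(iv: bytes, key: bytes, p1: bytes, p2: bytes) -> bytes:
    """Two frames under one IV share a keystream, so C1 xor C2 == P1 xor P2:
    the key drops out and an eavesdropper learns about the plaintexts directly."""
    c1 = wep_encrypt(iv, key, p1)
    c2 = wep_encrypt(iv, key, p2)
    return bytes(a ^ b for a, b in zip(c1, c2))


def frames_until_iv_repeat(prob: float = 0.5, iv_bits: int = 24) -> int:
    """Birthday bound: frames after which some IV has repeated with probability
    prob. With 2**24 IVs that is only a few thousand frames, not millions."""
    return math.ceil(math.sqrt(2 * 2**iv_bits * math.log(1 / (1 - prob))))


if __name__ == "__main__":
    key = bytes.fromhex("0badc0ffee")           # constructed 40-bit WEP key
    iv = b"\x01\x02\x03"
    p1, p2 = b"arp who-has 10.0.0.1", b"arp who-has 10.0.0.9"   # constructed
    print(xor_of_ciphertexts(iv, key, p1, p2) == bytes(a ^ b for a, b in zip(p1, p2)))
    print("frames for a 50% IV repeat:", frames_until_iv_repeat())  # 4823
```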

For WPA cracking, it runs through a list of passwords (BackTrack 5 ships a darkc0de.lst with almost a million, if not more, passwords) and checks every one for a match. This takes quite a bit longer, and if the password is not in the list, it is impossible to crack with this method.
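To see why the match is all-or-nothing (a passphrase that is not in the list cannot be recovered piece by piece) and why each candidate is expensive, here is an added illustration of the WPA/WPA2-PSK key derivation. It is not code from the post or from aircrack-ng; the SSID and passphrases are constructed, and only the PMK step is shown, not the handshake check.

```python
"""Why WPA/WPA2-PSK guessing is all-or-nothing and why each guess is slow.
Added illustration, not code from the original post or aircrack-ng; the
SSID and passphrases below are constructed. Only the PMK step is shown."""
import hashlib
import time


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """IEEE 802.11i PSK mode: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32).
    The SSID is the salt, so one passphrase gives a different PMK on every
    network and a precomputed table only helps against that one SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def differing_bits(a: bytes, b: bytes) -> int:
    """Hamming distance between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def partial_guess_distance(ssid: str, secret: str, guess: str) -> int:
    """A guess sharing almost all of the secret yields an unrelated PMK: about
    half of the 256 bits differ, so nothing signals 'almost right'. The only
    check available is the MIC of a captured 4-way handshake, and it passes
    for the exact passphrase or for none at all."""
    return differing_bits(wpa_pmk(secret, ssid), wpa_pmk(guess, ssid))


def pmk_rate(ssid: str, seconds: float = 0.5) -> float:
    """Candidates per second on one core: every dictionary entry costs 4096
    HMAC-SHA1 rounds before it can even be tested, which is what makes a
    large word list take so much longer than a WEP crack."""
    n, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        wpa_pmk(f"candidate{n}", ssid)
        n += 1
    return n / (time.perf_counter() - start)


if __name__ == "__main__":
    ssid = "HomeNet-Example"                       # constructed SSID
    secret, guess = "drank-1234", "drank-1235"      # constructed; differ in 1 char
    print("PMK bits differing for a near miss:", partial_guess_distance(ssid, secret, guess))
    rate = pmk_rate(ssid)
    print(f"~{rate:.0f} candidates/s; a 1,000,000-word list needs ~{1e6 / rate / 60:.0f} min")
```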

For further in-depth reading on cracking WEP networks, check out this paper. The aircrack-ng suite includes the programs below; try playing around with them. If you enter a program's name followed by --help or -h, a help page almost always appears listing all the options you can enter.

88 comments:

I'm not sure what your target audience is, but perhaps this post could benefit from more of an introduction to the relevant concepts, such as what WEP and WPA are, what a channel is, what it means for a network card to be in monitor mode, and so on. I think that someone that is only just beginning to learn how to crack, say, a WEP network, has a good chance of being unaware of these things.

Another note is that just giving a command without explaining each of the command line parameters that you use plays into making the reader memorize rather than learn. Granted, the user should be checking man pages or documentation or other sources, but I think that accessibility should be a concern for anyone writing a blog post that is intended to be educational, unless it is for your own personal reference.

@anon, thanks for the feedback, I'll definitely keep updating this as time goes on. Right now I'm on vacation and writing them up, so the content will DEFINITELY increase, partly due to more time and partly due to people like you giving me good feedback. I'm keeping a list of suggestions and information that people want, and I'll take note of your comments, thanks!

ARP linktype is set to 1 (Ethernet) - expected ARPHRD_IEEE80211,
ARPHRD_IEEE80211_FULL or ARPHRD_IEEE80211_PRISM instead.  Make
sure RFMON is enabled: run 'airmon-ng start eth1 <#>'
Sysfs injection support was not found either.

when I run airodump-ng on either eth1 or wlan1 (Broadcom and Rosewill wireless adapters, respectively).

I googled around a lot and tried a few things, but I'm pretty new to Linux. Any tips?

@Evan, I've never used aircrack-ng with an Ethernet connection, so I'm not sure if there's any difference... but as for your wireless, go to the aircrack-ng site and check out the compatible wireless adapters... yours may not be compatible with aircrack, which is sad to say.

What command does that error appear on? Does your test injection work? Your card may not be good enough for packet injection.

Can't wait to get cracki.... TESTING!! I meant testing the security of WEP networks. Especially in airports like Schiphol Airport, because I looove testing myself a good security. Especially when there's no free wi-fi around.

Unfortunately I have to wait a bit :( My network card is a Broadcom 4331 and so far there's no Linux driver. Curse you Broadcom!

Great post Marshall! I would like to know though, is aircrack-ng the only package I need to do all of this? I'm fairly new in the Linux world and I'm using Ubuntu 11.10. Also, once I'm in a network, how do you browse files on other computers connected to the same network?

Cool post... been in IT for a couple years and I do network security and pen testing. This is a good guide for newbies. I noticed I had problems capturing IVs in the beginning... something you could have injected into this post is what to do when you're not capturing IVs. Maybe you did and I just skipped over it unwittingly. In any case I like this thread. Keep up the good educational work.

I have a question. Why is it that when cracking .cap files for WPA (with valid handshakes), if the word list does not contain the whole passphrase it can't decrypt it? I set up BackTrack and a router with WEP encryption and hacked it in a matter of minutes, first time. But after many tries, no luck on WPA (my own router running DD-WRT). I used two words from the darkc0de.lst, "drank" and "boobies", but aircrack couldn't find it.

So is there a way to modify aircrack-ng (if you were a programmer with the know-how) to decrypt only half the password, or parts of it at a time? Why can't it decrypt just the "d" in "drank", verify that d is correct, save its progress and just move along to "r", ultimately resulting in a password from a word list with only a-z, numbers and special characters !#$#$^?

Now I don't have a full understanding of how the decryption takes place, aka what raw data the computer is processing, but it's just an idea. Maybe if it were that simple, they would just have it??

Nice tutorial, keep up the good work. It's amazing to me how many people are interested in cracking WEP. The WPA part is interesting as well, but what many newbs will quickly find is that dictionary attacks can take 5 minutes or 5 million years lol. Now is the time to find Reaver; if you want to crack WPA/WPA2, Reaver is a good tool to learn, and it's readily available (apt-get install reaver) in Linux like any tools.

Reaver IS really cool, but as far as I know Reaver has not been updated in a while. The last time I tried to use it I could not get it up and working, but I've been considering trying to get it working and writing up something about it, as WPS is very insecure and definitely something that needs more coverage.

Bro this is some very good advice, so far the only thing that works or worked for me. So many people claim to give advice to mediocre Linux users like me and leave other steps out, only giving approximately 64% guidance.

My question to you and other advanced computer users is DO I REALLY HAVE TO STUDY COMPUTER SCIENCE TO GET TO YOUR LEVEL OF COMPUTER KNOWLEDGE? I mean I'm already double majoring in mechanics and economics, but I have just developed this passion and love for computers that I just wanna pursue. Wanna know everything there, but I don't wanna go study as I'm already double majoring.

If you don't mind I would love your guidance in building my progress in acquiring your skills and expertise via e-mail chats at my very own address, sk-dezl@yahoo.com. Hope to hear from you soon bro. Cheers

This is the proper website for absolutely everyone who would love to discover about this topic. You recognize a lot its nearly tough to argue with you (no longer that I in reality might want to…HaHa). You definitely put a clean spin on a subject which web has been mentioned for ages. Wonderful stuff, simply brilliant!